Toymaker coughs up $650k after three million youngsters have info swiped

The US Federal Trade Commission (FTC) today agreed to a settlement deal with a children's electronic toymaker it had accused of collecting kids' personal information and then failing to properly secure that data.

The government watchdog said VTech will pay $650,000 and agree to a set of privacy and security requirements in order to settle charges it violated both the Children's Online Privacy Protection Act (COPPA) and the FTC Act.

The settlement deal puts to bed allegations by the FTC that VTech broke the law with its operation of its Learning Lodge, Kid Connect, and Planet VTech games and educational websites for kids. Specifically, that the company did not properly secure the information on millions of children and parents prior to the 2015 hack of its services and theft of customer data.

The breached Learning Lodge and Kid Connect services were said to have hosted around 2.25 million accounts that contained information on roughly three million kids. The accounts had things like the child's name, date of birth, and gender as well as the parent's name, physical address, email address, and security question answers.

VTech was accused of failing to properly encrypt that information (a violation of COPPA) and lying to parents about the extent of data collection and level of security it used (a violation of the FTC Act).

"As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data," said FTC chairwoman Maureen Ohlhausen.

"Unfortunately, VTech fell short in both of these areas."

The FTC and the US Department of Justice officially filed the complaint [PDF] against VTech Monday morning, at the same time it announced the settlement deal [PDF]. Under the agreement, VTech will not have to admit or deny any wrongdoing.

The toymaker will be required to cut the FTC a $650,000 check – about 22 cents per affected child – to settle the case. VTech will also agree to a stricter set of compliance requirements, including regular third-party security audits to check whether it is properly storing and encrypting its collected information, and to make sure it is getting express consent from parents before it collects and personal information. ®